In the New Fight Against Malware, It’s Spy vs. Spy

Cybersecurity teams are in a tough spot. New, insidious types of malware are emerging all the time (more than 800 million total million malware seen in 2019). In many cases, corporate security programs simply don’t have the resources to keep up with these new threats.

Malware authors have essentially become master spies, developing code that cleverly tries to detect analysis attempts by enterprise security tools and waits for just the right moment to strike.

Cloud Native Now

To deal with this challenge effectively and help their customers protect valuable information such as intellectual property (IP) and personal client data, security vendors need to enable defenders to become spies themselves.

Malware has continued to grow in sophistication, with cybercriminals driven in large part by the desire to profit from attacks. Even as defenses have become more advanced, so, too, have the attackers and their methods.

From the perspective of the malware author, evading detection by antivirus software is a necessary but hardly sufficient condition for a successful attack. With organizations deploying layered defenses, including detection and blocking technologies based on behavioral analysis, the latest malware must also be able to detect analyses attempts.

Although the infection vectors have multiplied over time, some vendors, most prominently Microsoft, have actually done a good job securing operating systems. Malware authors have, for the most part, given up trying to conduct drive-by infections of desktops and instead rely on social engineering to launch attacks.

Rather than the operating systems, however, applications have become the prime target of malware authors.

It’s difficult, and getting even more difficult, to compromise an operating system such as Windows. Either the malware has to stealthily compromise an application or social engineering has to convince a user to override operating system prompts and alerts. Cybercriminals increasingly are relying on zero-day vulnerabilities, which they can purchase on the black or grey markets.

Best Practices for Effective Spying

IT and security organizations within enterprises need to adopt several practices to succeed in the fight against malware—in effect becoming better spies than the bad guys.

One basic practice that should go without saying, but often gets neglected, is to always patch when necessary. Likewise, if a company is not running the latest, updated version of AV and associated definitions, the product will be ineffective against the latest threats.

It’s a common assumption that AV is no longer a viable security solution and that the approaches AV uses are easily bypassed. This is not true; it still serves a purpose, detecting, blocking and remediating the majority of malware. But the most sophisticated and newest malware, for which there is no signature and which might leverage zero days, typically can only be detected by dynamic (behavioral) analysis.

That leads to the next practice: Leveraging the latest malware sandbox analysis methods to detect and stop malware.

Seemingly not that long ago, blacklists were all that was needed to defend against malware. Today, malware is being built with features to recognize that it’s being run in a virtualized environment. The latest sandbox technology uses a hypervisor-based monitoring approach, which doesn’t modify the analysis environment. This fools the malware to think it’s running in a real environment. With this approach, incident response teams will get full visibility into malware behavior and actionable threat intelligence.

One security company that provides managed detection and responses services is using a malware analysis platform to map its customers’ online presence just like a threat actor would, detecting potential security issues before they hit the customers.

The platform automatically builds and maintains different analysis environments and provides security analysts with a quick and comprehensive overview into the capabilities of even the most sophisticated malware. This enables the analysts to make fast decisions when investigating the potential security issues of customers.

Another good practice is to create an organizational culture in which the security team is always thinking in terms of beating the cybercriminals to the punch (e.g. red teaming), and where senior executives understand the value of proactive security.

Cybersecurity today needs to be proactive, not reactive. Instilling this idea within security teams helps promote the idea that the battle against bad actors can be won—it just takes initiative and creativity.

Also as part of this effort, security leaders need to sell senior management on the concept of being proactive about security. In many cases security programs are already losing the battle to increasingly sophisticated malware writers, and malware continues to grow more complex and difficult to stop.

The way to stay ahead is to spy on the bad guys first, detecting their actions before they can do the detecting. With the right approach and the right tools, any security team can become a group of master spies and protect its organization against the latest malware attacks.

Chad Loeven

Chad Loeven

Chad Loeven has been involved in enterprise security for over 20 years. Prior to VMRay he managed technology alliances at RSA, the security division of EMC. He came on board RSA via its acquisition of Silicium Security and Silicium's ECAT ETDR (Endpoint Threat Detection and Response) technology where he ran sales and marketing. Prior to Silicium he ran Sunbelt Software's Advanced Technology Group (ATG), bringing to market the CWSandbox malware analyzer and Sunbelt's ThreatTrack threat intel feeds. Sunbelt was acquired by GFI, and is now ThreatTrack Security. As president of VMRay Inc. he oversees operations and all sales and marketing activities worldwide outside of Germany.

chad-loeven has 1 posts and counting.See all posts by chad-loeven

Cloud Capabilities Poll